5 steps to enable your corporate SOC to rapidly detect and respond to IoT/OT threats

As organizations connect massive numbers of IoT/OT devices to their networks to optimize operations, boards and management teams are increasingly concerned about the expanding attack surface and corporate liability that they represent. These connected devices can be compromised by adversaries to pivot deeper into corporate networks and threaten safety, disrupt operations, steal intellectual property, expose resources for Distributed Denial of Service (DDoS) botnets and cryptojacking, and cause significant financial losses.

For example, in June 2017, a destructive cyber attack known as “NotPetya” infected thousands of computers globally and resulted in dozens of enterprises experiencing significant financial losses. One of NotPetya’s victims, a global shipping and logistics company, lost $300 million as a result of production downtime and cleanup activities.

Why industrial and critical infrastructure OT networks are at risk

According to CyberX’s 2020 Global IoT/ICS Risk Report, which analyzed network traffic from over 1,800 production OT networks, 71 percent of OT sites are running unsupported versions of Windows that no longer receive security patches; 64 percent have cleartext passwords traversing their networks; 54 percent have devices that can be remotely managed using remote desktop protocol (RDP), secure shell (SSH), and virtual network computing (VNC), enabling attackers to pivot undetected; 66 percent are not automatically updating their Windows systems with the latest antivirus definitions; 27 percent of sites have direct connections to the internet.

These vulnerabilities make it significantly easier for adversaries to compromise OT networks, whether their initial entry is via systems exposed to the internet or via lateral movement from the corporate IT network (using compromised remote access credentials, for example).

CISOs are increasingly accountable for both IT and IoT/OT security. However, according to a SANS survey, IT security teams lack visibility into the security and resiliency of their OT networks, with most respondents (59 percent) stating they are only “somewhat confident” in their organization’s ability to secure their industrial IoT devices.

How should organizations secure their IoT/OT environments?

Organizations need to invest in strengthening their IoT/OT security and structure the appropriate policies and procedures so that new IoT/OT monitoring and alerting systems will be successfully operationalized.

A key success factor is to obtain organizational alignment and solid collaboration with teams that will operate the system. In many organizations, these teams have traditionally worked in separate silos. Visibility and well-defined roles and responsibilities between IoT/OT, IT, and security personnel are key for a successful alignment. Although there can be more connectivity between the IT and the IoT/OT networks, they are still separate networks with different characteristics. Personnel operating the IoT/OT network are not always security trained, and the security staff are not familiar with the IoT/OT network infrastructure, devices, protocols, or applications. In particular, the top priority for OT personnel is maintaining the availability and integrity of their control networks—whereas IT security teams have traditionally been focused on maintaining the confidentiality of sensitive data.

To be effective, IT security teams will need to adapt their existing procedures and policies to be inclusive of the IoT/OT security world.

Gaining continuous security operations center (SOC) visibility into IoT/OT risk with Azure Defender for IoT

Azure Defender for IoT is an agentless, network-layer IoT/OT security platform that’s easy to deploy and provides real-time visibility to all IoT/OT devices, vulnerabilities, and threats—within minutes of being connected to the OT network. Based on technology from Microsoft’s acquisition of CyberX, Azure Defender for IoT uses specialized IoT/OT-aware behavioral analytics and threat intelligence to auto-discover unmanaged IoT/OT assets and rapidly detect anomalous or unauthorized activities in your IoT/OT network. Additionally, it enables you to centralize IoT/OT security monitoring and governance via built-in integration with Azure Sentinel and third-party SOC solutions such as Splunk, IBM QRadar, and ServiceNow.

According to SANS, there’s a clear difference between the detection of an attack on corporate companies versus industrial and critical infrastructure organizations with control networks. While 72 percent of organizations without OT environments detected a compromise within seven days, only 45 percent of organizations with OT environments were able to do the same.

Reducing the time between compromise and detection is a key catalyst for enabling your SOC with real-time IoT/OT alerts and detailed contextual information about your IoT/OT assets and vulnerabilities.

Detect and respond to IoT/OT incidents faster

To operationalize security alerts from the IoT/OT network, you must integrate them with your existing SOC workflows and tools. Given the significant investments that organizations have already made in a centralized SOC, it makes sense to bring IoT/OT security into their existing SOC and to expand the SOC responsibilities to be able to manage IoT/OT incidents as well. This next step will create a productive working environment between the teams. Integration of the SOC within the IoT/OT environment can create a competitive advantage for the organization.

Modern SOCs rely heavily on SIEM solutions to operate efficiently. This means that IoT/OT security alerts and investigation processes should be delivered to the SOC team via their preferred SIEM solution. SIEM solutions provide security value by normalizing and correlating data across the enterprise, including data ingested from firewalls, applications, servers, and endpoints.

As of today, most of our customers (78 percent) who have deployed Azure Defender for IoT and have SIEM, have integrated (or are in the process of integrating) IoT/OT security into their SIEM platform and SOC workflows.

Integrating IoT/OT security with your SIEM in five steps:

Step 1: Forward IoT/OT security events to the SIEM

The first step in a successful SOC integration is to integrate IoT/alerts with your organizational SIEM. This capability is supported out of the box with Azure Defender for IoT. After integrating Azure Defender for IoT with a SIEM, clients typically spend a short time tuning which alerts are forwarded to the SIEM to reduce alert fatigue.

Azure Defender for IoT drop-down menu showing built-in integrations with broad range of SIEM, ticketing, firewall, and NAC systems

Figure 1: Azure Defender for IoT integrates out-of-the-box with a broad range of SIEM, ticketing, firewall, and NAC systems.

Step 2: Identify and define IoT/OT security threats and SOC incidents

The second step is agreeing on which IoT/OT security threats the organization would like to monitor in the SOC, based on the organizational threat landscape, industry needs, compliance, and more. Once relevant threats are defined, you can define the use cases that constitute an incident within the SOC.

For example, a common use case is an unauthorized change to OT equipment, such as an unauthorized change to Programmable Logic Controller (PLC) code—since this can take down production and potentially cause a safety incident. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversary initially compromised a Windows workstation in the OT network and then uploaded a malicious back door to the PLC using a legitimate industrial control system (ICS) command (you may recognize this as an excellent example of an OT-specific living-off-the-land tactic).

This type of activity is immediately detected when Azure Defender for IoT detects a deviation from the OT network baseline, such as a programming command sent from a new device. Azure Defender for IoT incorporates Layer 7 Deep Packet Inspection (DPI) and patented IoT/OT-aware behavioral analytics using Finite-State Machine (FSM) modeling to create a baseline of OT network activity. Compared to generic baselining algorithms developed for IT networks (which are largely non-deterministic), this approach is optimized for the deterministic nature of OT networks—resulting in a faster learning period with fewer false positives and false negatives. Additionally, deeply analyzing high-fidelity network traffic, including at the application layer, enables the platform to identify malicious OT commands and not just deviations in source/destination information.

In this particular use case, unauthorized changes to PLC ladder logic code can be an indication of either new functionality or parameters being programmed into the PLC, which typically only happens on rare occasions: an error on the part of a control engineer or a misconfigured application. In all these cases, the SOC should investigate with plant personnel to determine if the activity was malicious or legitimate.

Step 3: Create SIEM detection rules

Once IoT/OT security threat use cases are defined, you can create detection rules and severity levels in the SIEM. Only relevant incidents will be triggered, thus reducing unnecessary noise. For example, you would define PLC code changes performed from unauthorized devices, or outside of work hours, as a high severity incident due to the high fidelity of this specific alert.

Step 4: Define SOC workflows for resolution

The fourth step is to define workflows for resolution. This will also help remove ambiguity between IT security and OT teams about who is responsible for investigating unusual activities (note that unclear roles and responsibilities were also an important factor in the TRITON incident, until a second attack two months later).

The goal is to enable Tier 1 SOC analysts to handle most IoT/OT incidents and only escalate to specialized IoT/OT security experts when needed. This means defining the appropriate workflow for mitigation and creating automated investigation playbooks for each use case.

For example, when the SOC receives an alert that PLC code changes have been initiated, check first if the programming device is an authorized engineering workstation, and then if it occurred during normal work hours, whether it happened during a scheduled change window, etc. If the answer to these questions is no, you should immediately disconnect the rogue workstation from the network (or block it with a firewall rule, if possible).

Here’s an example of a logical workflow for resolution:

Example of a built-in automated SOAR playbook for Azure Sentinel initiated by an OT-specific alert generated by Azure Defender for IoT

Figure 2: Example of a built-in automated SOAR playbook for Azure Sentinel initiated by an OT-specific alert generated by Azure Defender for IoT

Step 5: Training and knowledge transfer

The fifth step is to provide comprehensive training to all stakeholders – for example, teach the SOC team about the unique characteristics of OT environments, so they can have intelligent conversations with IoT/OT personnel when resolving incidents and can implement remediation actions that are relevant (and not harmful) for OT environments.

Azure Defender for IoT and Azure Sentinel: Better together

Azure Sentinel is the first cloud-native SIEM/SOAR platform on a major public cloud. It delivers all the advantages of a cloud-based service, including simplicity, scalability, and lower total cost of ownership; provides a bird’s eye view across IT and OT to enable rapid detection and response for multistage attacks that cross IT/OT boundaries (like TRITON); incorporates machine learning combined with continuously-updated threat intelligence from trillions of signals collected daily.

Azure Defender for IoT is deeply integrated with Azure Sentinel, providing rich contextual information to SOC analysts beyond the basic information provided by simple Syslog alerts. For example, it provides detailed information about which IoT/OT assets associated with an alert including device type, manufacturer, the protocol used, firmware level, etc.

Azure Sentinel has also been enhanced with IoT/OT-specific SOAR playbooks. The integrated combination of these two solutions helps SOC analysts detect and respond to IoT/OT incidents faster—so you can prevent incidents before they have a material impact on your firm.

In the screenshot below, you can see a built-in Sentinel investigation experience for an IoT/OT security use case:

Interactive investigation graph in Azure Sentinel, produced from real-time OT monitoring data generated by Azure Defender for IoT

Figure 3: Interactive investigation graph in Azure Sentinel, produced from real-time OT monitoring data generated by Azure Defender for IoT. 

Learn more

If you’d like to learn more and see a full demo of how Azure Defender for IoT and Azure Sentinel can be used together to detect and investigate a sophisticated attack, check out our Microsoft Ignite session or read the blog “Go inside the new Azure Defender for IoT including CyberX.”

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.